URL:

https://s3.amazonaws.com/911fileupdate/911S5.rar

Full analysis: https://app.any.run/tasks/3edb020c-cc6b-4bb6-b02f-a72cfde7b3bc
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: May 22, 2019, 06:35:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
Indicators:
MD5:

D77DCA75E84CB03DCFA4DB1127364ADA

SHA1:

5BE64A32C4B8B1A2931077CAFA09B81F43FEED63

SHA256:

CF2321E34DCBCEF213CED5CD593359CB26F21663B3691C2F372DFED6CAED9567

SSDEEP:

3:N8H7WtlHJAQVB4ENqn:2H6Jfhq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Client.exe (PID: 2868)
      • Client.exe (PID: 3104)
      • Client.exe (PID: 284)
      • Client.exe (PID: 2128)
    • Loads dropped or rewritten executable

      • Client.exe (PID: 3104)
      • SearchProtocolHost.exe (PID: 1976)
      • Client.exe (PID: 284)
    • Changes settings of System certificates

      • Client.exe (PID: 3104)
  • SUSPICIOUS

    • Adds / modifies Windows certificates

      • Client.exe (PID: 3104)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3276)
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 1372)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 1372)
      • iexplore.exe (PID: 2956)
    • Creates files in the user directory

      • iexplore.exe (PID: 2956)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 1372)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 1372)
    • Changes settings of System certificates

      • iexplore.exe (PID: 1372)
    • Manual execution by user

      • Client.exe (PID: 2128)
      • Client.exe (PID: 284)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
49
Monitored processes
8
Malicious processes
3
Suspicious processes
1

Behavior graph

Processes shown in the graph: iexplore.exe, iexplore.exe, winrar.exe, client.exe (no specs), client.exe, searchprotocolhost.exe (no specs), client.exe (no specs), client.exe. Edge labels: start; drop and start; drop and start.

Process information

PID
CMD
Path
Indicators
Parent process
PID:
284
CMD:
"C:\Users\admin\Desktop\New folder\Client.exe"
Path:
C:\Users\admin\Desktop\New folder\Client.exe
Parent process:
explorer.exe
User:
admin
Company:
911.re
Integrity Level:
HIGH
Description:
911 S5 Proxy Client
Exit code:
0
Version:
3.00.1470
Modules
Images
c:\users\admin\desktop\new folder\client.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\desktop\new folder\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID:
1372
CMD:
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path:
C:\Program Files\Internet Explorer\iexplore.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID:
1976
CMD:
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path:
C:\Windows\system32\SearchProtocolHost.exe
Parent process:
SearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\searchprotocolhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID:
2128
CMD:
"C:\Users\admin\Desktop\New folder\Client.exe"
Path:
C:\Users\admin\Desktop\New folder\Client.exe
Parent process:
explorer.exe
User:
admin
Company:
911.re
Integrity Level:
MEDIUM
Description:
911 S5 Proxy Client
Exit code:
3221226540
Version:
3.00.1470
Modules
Images
c:\users\admin\desktop\new folder\client.exe
c:\systemroot\system32\ntdll.dll
PID:
2868
CMD:
"C:\Users\admin\AppData\Local\Temp\Rar$EXa3276.497\911S5 2018-0910\Client.exe"
Path:
C:\Users\admin\AppData\Local\Temp\Rar$EXa3276.497\911S5 2018-0910\Client.exe
Parent process:
WinRAR.exe
User:
admin
Company:
911.re
Integrity Level:
MEDIUM
Description:
911 S5 Proxy Client
Exit code:
3221226540
Version:
3.00.1470
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3276.497\911s5 2018-0910\client.exe
c:\systemroot\system32\ntdll.dll
PID:
2956
CMD:
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1372 CREDAT:71937
Path:
C:\Program Files\Internet Explorer\iexplore.exe
Parent process:
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID:
3104
CMD:
"C:\Users\admin\AppData\Local\Temp\Rar$EXa3276.497\911S5 2018-0910\Client.exe"
Path:
C:\Users\admin\AppData\Local\Temp\Rar$EXa3276.497\911S5 2018-0910\Client.exe
Parent process:
WinRAR.exe
User:
admin
Company:
911.re
Integrity Level:
HIGH
Description:
911 S5 Proxy Client
Exit code:
0
Version:
3.00.1470
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3276.497\911s5 2018-0910\client.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\temp\rar$exa3276.497\911s5 2018-0910\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID:
3276
CMD:
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\F4O8S6J8\911S5[1].rar"
Path:
C:\Program Files\WinRAR\WinRAR.exe
Parent process:
iexplore.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events
2 701
Read events
2 446
Write events
242
Delete events
13

Modification events

(PID) Process:
(1372) iexplore.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:
write
Name:
CompatibilityFlags
Value:
0
(PID) Process:
(1372) iexplore.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
UNCAsIntranet
Value:
0
(PID) Process:
(1372) iexplore.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
AutoDetect
Value:
1
(PID) Process:
(1372) iexplore.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:
write
Name:
SecuritySafe
Value:
1
(PID) Process:
(1372) iexplore.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:
write
Name:
ProxyEnable
Value:
0
(PID) Process:
(1372) iexplore.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:
write
Name:
SavedLegacySettings
Value:
(PID) Process:
(1372) iexplore.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:
write
Name:
{DD2BCB39-7C5B-11E9-A370-5254004A04AF}
Value:
0
(PID) Process:
(1372) iexplore.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:
write
Name:
Type
Value:
4
(PID) Process:
(1372) iexplore.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:
write
Name:
Count
Value:
1
(PID) Process:
(1372) iexplore.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:
write
Name:
Time
Value:
E307050003001600060024000200D200
Executable files
110
Suspicious files
17
Text files
52
Unknown types
19

Dropped files

PID
Process
Filename
Type
PID:
1372
Process:
iexplore.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
PID:
1372
Process:
iexplore.exe
Filename:
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
PID:
1372
Process:
iexplore.exe
Filename:
C:\Users\admin\AppData\Local\Temp\~DFD5B27823997A8523.TMP
MD5:
SHA256:
PID:
2956
Process:
iexplore.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\F4O8S6J8\911S5[1].rar
MD5:
SHA256:
PID:
1372
Process:
iexplore.exe
Filename:
C:\Users\admin\AppData\Local\Temp\~DF34C3B40BBEB80D82.TMP
MD5:
SHA256:
PID:
1372
Process:
iexplore.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{DD2BCB39-7C5B-11E9-A370-5254004A04AF}.dat
MD5:
SHA256:
PID:
3276
Process:
WinRAR.exe
Filename:
C:\Users\admin\AppData\Local\Temp\Rar$EXa3276.497\911S5 2018-0910\911.config
MD5:
SHA256:
PID:
2956
Process:
iexplore.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
Type:
dat
MD5:
SHA256:
PID:
2956
Process:
iexplore.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019052220190523\index.dat
Type:
dat
MD5:
SHA256:
PID:
3276
Process:
WinRAR.exe
Filename:
C:\Users\admin\AppData\Local\Temp\Rar$EXa3276.497\911S5 2018-0910\ca.crt
Type:
text
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
7
DNS requests
5
Threats
1 333

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
284 | Client.exe | POST | - | 100.43.168.2:800 | http://login.911s5.net:800/login_cc.asp | US | - | - | unknown
3104 | Client.exe | POST | - | 100.43.168.2:800 | http://login.911s5.net:800/login_cc.asp | US | - | - | unknown
3104 | Client.exe | GET | 200 | 2.16.186.56:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | unknown | compressed | 56.1 Kb | whitelisted
1372 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1372 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3104 | Client.exe | 2.16.186.56:80 | www.download.windowsupdate.com | Akamai International B.V. | - | whitelisted
3104 | Client.exe | 100.43.168.2:4433 | userip.911s5.net | Krypt Technologies | US | unknown
3104 | Client.exe | 100.43.168.2:800 | userip.911s5.net | Krypt Technologies | US | unknown
284 | Client.exe | 100.43.168.2:4433 | userip.911s5.net | Krypt Technologies | US | unknown
284 | Client.exe | 100.43.168.2:800 | userip.911s5.net | Krypt Technologies | US | unknown
2956 | iexplore.exe | 52.216.161.125:443 | s3.amazonaws.com | Amazon.com, Inc. | US | unknown

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
s3.amazonaws.com
  • 52.216.161.125
shared
userip.911s5.net
  • 100.43.168.2
  • 174.139.8.2
  • 98.126.244.38
unknown
www.download.windowsupdate.com
  • 2.16.186.56
  • 2.16.186.81
whitelisted
login.911s5.net
  • 100.43.168.2
  • 174.139.8.2
  • 98.126.244.38
suspicious

Threats

PID
Process
Class
Message
A Network Trojan was detected
ET TROJAN Overtoolbar.net Backdoor ICMP Checkin Request
A Network Trojan was detected
ET TROJAN Overtoolbar.net Backdoor ICMP Checkin Response
A Network Trojan was detected
ET TROJAN Overtoolbar.net Backdoor ICMP Checkin Request
A Network Trojan was detected
ET TROJAN Overtoolbar.net Backdoor ICMP Checkin Response
A Network Trojan was detected
ET TROJAN Overtoolbar.net Backdoor ICMP Checkin Request
A Network Trojan was detected
ET TROJAN Overtoolbar.net Backdoor ICMP Checkin Response
A Network Trojan was detected
ET TROJAN Overtoolbar.net Backdoor ICMP Checkin Request
A Network Trojan was detected
ET TROJAN Overtoolbar.net Backdoor ICMP Checkin Response
A Network Trojan was detected
ET TROJAN Overtoolbar.net Backdoor ICMP Checkin Request
A Network Trojan was detected
ET TROJAN Overtoolbar.net Backdoor ICMP Checkin Request
No debug info